General

  • Target

    Veno.exe

  • Size

    5.2MB

  • Sample

    241224-k7eldatlfy

  • MD5

    1fd54055c3703fba5e110b0e68fd434b

  • SHA1

    26845bbcd373bb281891699f49541454598edfcf

  • SHA256

    c74979f0e2b603d690941c512cf4aa6824aea56aa6de9c333d2be13f4dde65f6

  • SHA512

    50f5688c5a97de64f8f78cd767a18e52fe830ec1321744535f3dc84d2f6a7a68af247171a5d7e0b6b8528c098aaaae09cde1b70a896838a82ef580064e81722b

  • SSDEEP

    98304:Aqw6Y+PiWjIOMLRqWqZD0ofvE7TY5kGdRUy4bz6cCMHps/KHNNiVakHoxdy:Aqw65PhVM83nEaLRU9z3CeaK0V4xI

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA

  • server_id

    1317719739920810024
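
The two config values above can be checked offline without ever contacting Discord. A bot token is three dot-separated parts, and the first part is the base64 of the bot account's user ID, itself a snowflake whose top 42 bits are a creation timestamp; the server_id is a snowflake too. The following script is an added example (not the sample's code, not from the sandbox vendor) that recovers the bot ID, dates both objects, and hashes the token so the secret itself never has to be pasted into a ticket or a threat-intel feed. The epoch constant and the snowflake layout are Discord's documented format; the token's second and third parts are not decoded because they cannot be verified offline.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Values taken from the extracted config above. The token is a bot credential:
# treat it as a secret IOC and never send it to Discord to "test" it.
DISCORD_TOKEN = "MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA"
SERVER_ID = 1317719739920810024

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, start of Discord's snowflake clock


def b64url_decode(segment: str) -> bytes:
    """Decode URL-safe base64, restoring the '=' padding Discord strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def snowflake_to_datetime(snowflake: int) -> datetime:
    """A Discord snowflake stores milliseconds since the Discord epoch in its top 42 bits."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def bot_id_from_token(token: str) -> int:
    """Bot tokens look like <base64 user id>.<timestamp part>.<hmac>.
    Only the first part is decodable offline; it is the bot account's snowflake."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    return int(b64url_decode(parts[0]).decode("ascii"))


def analyse(token: str, server_id: int) -> dict:
    bot_id = bot_id_from_token(token)
    bot_created = snowflake_to_datetime(bot_id)
    server_created = snowflake_to_datetime(server_id)
    return {
        "bot_id": bot_id,
        "bot_created": bot_created,
        "server_created": server_created,
        # positive when the bot account is younger than the server it reports to
        "delta_seconds": (bot_created - server_created).total_seconds(),
        # exchange the hash, not the live secret, when sharing IOCs
        "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in analyse(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

For this sample the bot account and the server were both created on 2024-12-15, a few minutes apart and nine days before the sample ID's date (241224), which is the pattern of throwaway infrastructure set up for one campaign. The right follow-up is an abuse report to Discord with the bot ID and server ID, not a login with the token.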

Targets

    • Target

      Veno.exe

    • Size

      5.2MB

    • MD5

      1fd54055c3703fba5e110b0e68fd434b

    • SHA1

      26845bbcd373bb281891699f49541454598edfcf

    • SHA256

      c74979f0e2b603d690941c512cf4aa6824aea56aa6de9c333d2be13f4dde65f6

    • SHA512

      50f5688c5a97de64f8f78cd767a18e52fe830ec1321744535f3dc84d2f6a7a68af247171a5d7e0b6b8528c098aaaae09cde1b70a896838a82ef580064e81722b

    • SSDEEP

      98304:Aqw6Y+PiWjIOMLRqWqZD0ofvE7TY5kGdRUy4bz6cCMHps/KHNNiVakHoxdy:Aqw65PhVM83nEaLRU9z3CeaK0V4xI

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read to detect sandbox or virtual-machine environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

      Here Discord, which the extracted config shows is used as the C2 channel.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger (0x11) information class, which stops the thread from delivering debug events to an attached debugger; a common anti-debugging trick.
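
Several of the signatures above (VirtualBox ACPI keys, BIOS strings, the country code, the UAC setting) are individually ordinary registry reads; what makes them a sandbox-evasion fingerprint is one process doing all of them in a row. The detector below is an added example, not part of the report or the sandbox's own signature logic. It runs over constructed Sysmon-style registry events and flags a process only when it touches several distinct key families. The report does not list the exact keys this sample reads, so the key paths are assumed, commonly used locations for each check, and the event data is made up to exercise the logic.

```python
import re
from collections import defaultdict
from typing import Optional

# Registry locations typically read for the checks the report names. These are
# assumed, common paths; the report does not say which keys this sample touches.
ANTI_ANALYSIS_KEYS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_info": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)", re.I),
    "geo_country": re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I),
    "uac_enabled": re.compile(r"\\Policies\\System\\EnableLUA", re.I),
}

# Constructed Sysmon-like registry events (the TargetObject of Event ID 12/13);
# invented for this example, not taken from the report's trace.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\user\Desktop\Veno.exe",
     "target": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 4120, "image": r"C:\Users\user\Desktop\Veno.exe",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 4120, "image": r"C:\Users\user\Desktop\Veno.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
    {"pid": 4120, "image": r"C:\Users\user\Desktop\Veno.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2200, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
]


def classify(target: str) -> Optional[str]:
    """Return the anti-analysis key family a registry path belongs to, or None."""
    for name, pattern in ANTI_ANALYSIS_KEYS.items():
        if pattern.search(target):
            return name
    return None


def flag_processes(events, min_categories: int = 2):
    """Group matching reads per process and flag processes that touch at least
    min_categories distinct families. A lone BIOS read is normal system
    behaviour; the combination is the signal worth alerting on."""
    hits = defaultdict(set)
    images = {}
    for ev in events:
        family = classify(ev["target"])
        if family:
            hits[ev["pid"]].add(family)
            images[ev["pid"]] = ev["image"]
    return [(pid, images[pid], sorted(families))
            for pid, families in sorted(hits.items())
            if len(families) >= min_categories]


if __name__ == "__main__":
    for pid, image, families in flag_processes(SAMPLE_EVENTS):
        print(f"{pid} {image}: {', '.join(families)}")
```

With the default threshold only the Veno.exe process is reported; svchost.exe and explorer.exe each hit one family and stay quiet. Lowering min_categories to 1 turns the same data into three alerts, which is the noise level a per-key rule would produce on a real host.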

MITRE ATT&CK Enterprise v15

Tasks